yajwt Error when decoding jwt

I am trying to decode a JWT from Cognito. I retrieved the public key from the client portal and it looked like this:

{
	"keys": [{
		"kid": "1234example=",
		"alg": "RS256",
		"kty": "RSA",
		"e": "AQAB",
		"n": "1234567890",
		"use": "sig"
	}, {
		"kid": "5678example=",
		"alg": "RS256",
		"kty": "RSA",
		"e": "AQAB",
		"n": "987654321",
		"use": "sig"
	}]
}

Using yajwt I tried to verify the jwt signature and got this error:

{:error, {:iss, "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ay8FtC5WW"}}

Decode code:

JWT.verify(token, %{
  alg: "RS256",
  key: JWT.Algorithm.RsaUtil.public_key(key)
})

The key is in PEM format and is parsed to RSA using the JWT package (yajwt).

The error does not make any sense to me; it just throws an error and returns the iss and the aud, plus the exp if the token has expired. At this point I have worked through invalid signature errors and invalid algorithm errors.

Has anyone encountered this error before?

Is this still ongoing?

Yeah. It turned out that when interacting with AWS Cognito for identity it’s easier to use JOSE.jwk. Worked right out of the box.
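
Added example, not part of the thread and not code from yajwt or JOSE: a sketch of the JOSE route for a JWKS shaped like the one in the question, picking the key by `kid`, pinning RS256, and then checking `iss` and `exp` explicitly, since JOSE verifies only the signature. The module name `CognitoJwt`, the issuer URL, the `kid` and the throwaway key are constructed for the example; it assumes the `jose` and `jason` Hex packages.

```elixir
# Added example (not from the thread). Needs the jose and jason Hex packages.
Mix.install([:jose, :jason])

defmodule CognitoJwt do
  # Signature check against the JWKS entry named by the token's "kid",
  # followed by explicit iss/exp checks. Returns {:ok, claims} or {:error, reason}.
  def verify(token, jwks, expected_iss, now \\ System.os_time(:second)) do
    with {:ok, jwk} <- key_for(token, jwks),
         # verify_strict pins RS256 instead of trusting the header's "alg"
         {true, %JOSE.JWT{fields: claims}, _} <- JOSE.JWT.verify_strict(jwk, ["RS256"], token),
         :ok <- check(claims["iss"] == expected_iss, {:iss, claims["iss"]}),
         :ok <- check(is_integer(claims["exp"]) and claims["exp"] > now, :expired) do
      {:ok, claims}
    else
      {false, _, _} -> {:error, :invalid_signature}
      {:error, _} = error -> error
    end
  end

  defp key_for(token, jwks) do
    %JOSE.JWS{fields: header} = JOSE.JWT.peek_protected(token)
    case Enum.find(jwks["keys"], &(&1["kid"] == header["kid"])) do
      nil -> {:error, :unknown_kid}
      key -> {:ok, JOSE.JWK.from_map(key)}
    end
  end

  defp check(true, _reason), do: :ok
  defp check(false, reason), do: {:error, reason}
end

# Constructed sample data: a throwaway RSA key stands in for the user pool's key.
iss = "https://cognito-idp.example.invalid/pool-placeholder"
priv = JOSE.JWK.generate_key({:rsa, 2048})
{_, pub} = priv |> JOSE.JWK.to_public() |> JOSE.JWK.to_map()
jwks = %{"keys" => [Map.merge(pub, %{"kid" => "constructed-kid", "alg" => "RS256", "use" => "sig"})]}

sign = fn claims ->
  {_, token} = JOSE.JWT.sign(priv, %{"alg" => "RS256", "kid" => "constructed-kid"}, claims) |> JOSE.JWS.compact()
  token
end

now = System.os_time(:second)
good = sign.(%{"iss" => iss, "exp" => now + 300})
IO.inspect(CognitoJwt.verify(good, jwks, iss))
IO.inspect(CognitoJwt.verify(sign.(%{"iss" => "https://other.invalid", "exp" => now + 300}), jwks, iss))
IO.inspect(CognitoJwt.verify(sign.(%{"iss" => iss, "exp" => now - 1}), jwks, iss))
```

With a real user pool the `jwks` map is the decoded JSON document shown in the question, and AWS's token verification guidance also has you check `token_use` and `aud` (ID token) or `client_id` (access token).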